Section Code: 022 - 026

Personal Data Protection Act

CHAPTER I
PART 2
PERSONAL DATA COLLECTION

Section 22

The collection of Personal Data shall be limited to the extent necessary in relation to the lawful purpose of the Data Controller.

Section 23

In collecting the Personal Data, the Data Controller shall inform the data subject, prior to or at the time of such collection, of the following details, except in the case where the data subject already knows of such details:

  1. The purpose of the collection for use or disclosure of the Personal Data, including the purpose which is permitted under Section 24 for the collection of Personal Data without the data subject's consent;
  2. Notification of the case where the data subject must provide his or her Personal Data for compliance with a legal obligation, or for the performance of the contract, or where it is necessary to provide the Personal Data for the purpose of entering into the contract, including notification of the possible effect where the data subject does not provide such Personal Data;
  3. The Personal Data to be collected and the period for which the Personal Data will be retained. If it is not possible to specify the retention period, the expected data retention period according to the data retention standard shall be specified;
  4. The categories of Persons or entities to whom the collected Personal Data may be disclosed;
  5. Information, address, and the contact channel details of the Data Controller and, where applicable, of the Data Controller's representative or data protection officer; and
  6. The rights of the data subject under Section 19 paragraph five, Section 30 paragraph one, Section 31 paragraph one, Section 32 paragraph one, Section 33 paragraph one, Section 34 paragraph one, Section 36 paragraph one, and Section 73 paragraph one.

Section 24

The Data Controller shall not collect Personal Data without the consent of the data subject, unless:

  1. It is for the achievement of the purpose relating to the preparation of historical documents or the archives for public interest, or for the purpose relating to research or statistics, in which suitable measures to safeguard the data subject's rights and freedoms are put in place and in accordance with the notification as prescribed by the Committee;
  2. It is for preventing or suppressing a danger to a Person’s life, body, or health;
  3. It is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
  4. It is necessary for the performance of a task carried out in the public interest by the Data Controller, or it is necessary for the exercising of official authority vested in the Data Controller;
  5. It is necessary for legitimate interests of the Data Controller or any other Persons or juristic persons other than the Data Controller, except where such interests are overridden by the fundamental rights of the data subject of his or her Personal Data; or
  6. It is necessary for compliance with a law to which the Data Controller is subjected.

Section 25

The Data Controller shall not collect Personal Data from any other source, apart from the data subject directly, except where:

  1. The Data Controller has informed the data subject of the collection of Personal Data from another source without delay, but shall not exceed thirty days upon the date of such collection, and has obtained the consent from the data subject; or
  2. It is a collection of Personal Data which falls within the exceptions to request consent under Section 24 or Section 26.

The provisions with respect to notice of the new purpose in Section 21, and the notice of information details in Section 23 shall apply mutatis mutandis to the collection of the Personal Data which requires consent in paragraph one, except for the following circumstances:

  1. The data subject has been aware of such new purposes or details;
  2. The Data Controller can prove that the notice of such new purposes or information details is impossible or will obstruct the use or disclosure of the Personal Data, in particular for achieving the purposes in relation to scientific, historical, or statistical research purposes. In such cases, the Data Controller shall take suitable measures to protect the data subject's rights, freedoms, and interests;
  3. The use or disclosure of the Personal Data shall be carried out on an urgent basis as required by law, and suitable measures have been implemented to protect the data subject's interest; or
  4. The Data Controller is aware of or acquires such Personal Data from his or her duty, occupation, or profession, and shall maintain the confidentiality of any of the new purposes or information details as prescribed in Section 23 as required by law.

To notify the information details in paragraph two, the Data Controller shall provide such information to the data subject within thirty days after the date of collection of such Personal Data, unless the Personal Data are to be used for communication with the data subject, in which case the notice of information details shall be provided at the time of the first communication to that data subject. If a disclosure to another Person is envisaged, the notice of information details shall be provided prior to the time of the first disclosure.

Section 26

Any collection of Personal Data pertaining to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner, as prescribed by the Committee, is prohibited, without the explicit consent from the data subject, except where:

  1. It is to prevent or suppress a danger to life, body, or health of the Person, where the data subject is incapable of giving consent by whatever reason;
  2. It is carried out in the course of legitimate activities with appropriate safeguards by foundations, associations, or any other not-for-profit bodies with political, religious, philosophical, or trade union purposes for their members, former members, or persons having regular contact with such bodies in connection with their purposes, without disclosing the Personal Data outside such foundations, associations, or bodies;
  3. It is information that is disclosed to the public with the explicit consent of the data subject;
  4. It is necessary for the establishment, compliance, exercise, or defense of legal claims;
  5. It is necessary for compliance with a legal obligation to achieve the purposes with respect to:
    1. Preventive medicine or occupational medicine, the assessment of working capacity of the employee, medical diagnosis, the provision of health or social care, medical treatment, or the management of health or social care systems and services. In the event that it is not for compliance with a legal obligation, and such Personal Data is under the responsibility of the occupational or professional practitioner or person having the duty to keep such Personal Data as confidential under the law, it must be for compliance with the contract between the data subject and the medical practitioner;
    2. Public interest in public health, such as protecting against cross-border dangerous contagious disease or epidemics which may be contagious or pestilent, or ensuring standards or quality of medicines, medicinal products, or medical devices, on the basis that there is a provision of suitable and specific measures to safeguard the rights and freedom of the data subject, in particular maintaining the secrecy of Personal Data in accordance with duties or professional ethics;
    3. Employment protection, social security, national health security, social health welfare of the entitled person by law, the road accident victims protection, or social protection in which the collection of Personal Data is necessary for exercising the rights or carrying out the obligations of the Data Controller or the data subject, and suitable measures have been provided to protect the fundamental rights and interests of the data subject;
    4. Scientific, historical, or statistical research purposes, or other public interests which must be carried out only to the extent necessary to achieve such purposes, and suitable measures have been provided to protect the fundamental rights and interests of the data subject as prescribed by the Committee; or
    5. The substantial public interest, and suitable measures have been provided to protect the fundamental rights and interests of the data subject.

The biometric data in paragraph one shall mean the Personal Data arising from the use of techniques or technology related to the physical or behavioral characteristics of a Person, which can be used to identify such Person apart from others, such as facial recognition data, iris recognition data, or fingerprint recognition data.

In the case of the collection of the Personal Data relating to criminal record, such collection shall be carried out under the control of authorized official authority under the law, or data protection measures have been implemented according to rules prescribed by the Committee.